When it comes to next-generation security, business risk portfolio management should be top of mind for companies, and there's a lot to think about in terms of technologies and product classes. That's according to Nemertes Research CEO Johna Till Johnson.
In part one of this webcast, Johnson advises CIOs and their IT departments on where to start when it comes to next-generation security. Then, in part two, she delves into the importance of creating a functional IT security roadmap. Here in part three, Johnson explains her detailed visual for thinking about business risk portfolio management and determining the product classes that should be considered.
Listen to the webcast and read the transcript below to better understand Johnson's thoughts on infosec infrastructure and architecture.
Let's talk about what [a next-generation information security architecture] means in terms of products. Think about this [chart] in a sense almost going from the outside in or the bottom up.
At the bottom, you've got all the resources that you're protecting, the things that you have to classify and think about in the previous slide. So applications, middleware, storage, hypervisors, servers, containers (another form of virtual resources), desktops, mobile devices, Internet of Things devices, sensors -- everything you can think about that's a resource [needs] to [be protected].
Oh, by the way, over on the left-hand side, that's cloud. Cloud isn't a single unitary resource, as you can imagine. It's a lot more than that. It's a place that a lot of these resources often live. But you have to think about cloud separately, not because the technology for protecting it is separate, but because that's an area that a lot of organizations are just beginning to grapple with. So you don't want to forget about it.
Over to the right [Figure 1] are threat, compliance and risk networks. These are the networks that will tell you -- as I talked about before -- whether you have vulnerabilities, whether there are threats in your neighborhood, and whether there are attacks under way. And, above all, that top arrow [will tell you] what risk any of this poses to the organization.
That's an incredibly important piece of all of this because, again, you have to tie everything back to the business risk. We talk about business risk portfolio management as a way to look at all of this. And you look at your entire portfolio of risk and think about how information security risks play into each of these risks.
Focus on protection systems in risk portfolio management
Then if you're going from the outside in, you have the protection systems, so that's the greenish strand [in Figure 1]. These are the protection systems like secure Web gateways (SWG), next-generation firewalls (NGFW), data leakage protection/data loss protection (DLP), antimalware (AM), endpoint security -- all of the protection systems that are designed as your frontline protection for those resources around the outside [of the green circle].
Advanced security and user behavior analytics
Then above that, you move into the realm of advanced security analytics. That's SIEM, security operational intelligence and IDS/IPS, which is also helping you with that threat detection and threat prevention. Then at the top [Figure 1], there's user behavioral analytics (UBA), which is analytics that's focused on looking at the entire big picture and seeing what devices and what users are behaving anomalously in your environment. That is a very key emerging area of technology that we'll talk about in a little bit.
In a sense, for every box on this chart, there is at least one category of products that provides the capabilities in that. We're going to go through the next several slides drilling down into some of the emerging technologies that are of greatest interest as we're building this next-generation security infrastructure and architecture.
One last thing before I move ahead on this: The word "infrastructure" appears because there is also an infosec application architecture. Don't forget about protecting your applications. I will tell you that most organizations do. Or, their protection mechanisms are woefully out of date. They're manual scans that happen once the software is ready to get deployed and not built into the entire process. Bad idea.